
A serious vulnerability has been discovered in Skype, Microsoft's widely used free messaging and voice-calling service, that could allow a local, unprivileged user to obtain system-level privileges and thereby gain full control of the host machine.

The worst part is that this vulnerability will not be patched by Microsoft anytime soon.

That is not because the flaw is unpatchable, but because fixing it requires a significant software rewrite, which means the company will need to ship an all-new version of Skype rather than just a patch.

The vulnerability was discovered and reported to Microsoft by security researcher Stefan Kanthak and resides in Skype's update installer, which is susceptible to Dynamic Link Library (DLL) hijacking.

According to the researcher, a potential attacker could exploit the “functionality of the Windows DLL loader where the process loading the DLL searches for the DLL to be loaded first in the same directory in which the process binary resides and then in other directories.”

Exploiting that search order lets an attacker hijack the update process: drop a malicious DLL into a temporary folder on the Windows PC that an unprivileged user can already write to, and give it the name of a legitimate DLL the installer loads. No special account privileges are needed to plant the file.

When Skype's update installer looks for that DLL, it finds the malicious copy first and loads it, so the attacker's code runs with the installer's system-level privileges.
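The search-order effect described above, as an added example for this article (not Skype's or the researcher's code): it models which copy of a DLL the Windows loader picks and which directories an unprivileged user could write a same-named file into so that it is found first. The directory layout, the user name "alice", the DLL name helper.dll and the set of user-writable directories are all constructed for illustration, and the search order is a simplified version of the default one.

```python
"""Which copy of a DLL wins under the Windows loader's search order, and
where an unprivileged user could plant a same-named file to get there first.
Added example; the layout, user, DLL name and writable set are constructed."""
from pathlib import PureWindowsPath

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows"]


def search_order(app_dir, cwd, path_dirs=()):
    """Simplified default order: the directory the process binary was loaded
    from is searched first, before the system directories (assumption:
    SafeDllSearchMode on, no KnownDlls short-circuit for this name)."""
    return [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]


def resolve_dll(dll_name, order, filesystem):
    """Full path of the first copy of dll_name found along `order`, or None.
    `filesystem` maps a directory to the set of file names it contains."""
    want = dll_name.lower()
    for directory in order:
        names = {n.lower() for n in filesystem.get(directory, ())}
        if want in names:
            return str(PureWindowsPath(directory) / dll_name)
    return None


def hijack_points(dll_name, order, filesystem, user_writable):
    """Directories searched before the legitimate copy that an unprivileged
    user can write to. A same-named DLL dropped in any of them is loaded
    instead of the real one (all writable dirs if the DLL is missing)."""
    legit = resolve_dll(dll_name, order, filesystem)
    points = []
    for directory in order:
        if legit is not None and PureWindowsPath(legit).parent == PureWindowsPath(directory):
            break
        if directory in user_writable:
            points.append(directory)
    return points


# Constructed scenario: an installer extracted to, and running from, the
# user's temp folder, which that same unprivileged user can write to.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
FS = {
    r"C:\Windows\System32": {"helper.dll", "kernel32.dll"},  # legitimate copy lives here
    TEMP: {"SkypeSetup.exe"},
}
ORDER = search_order(app_dir=TEMP, cwd=TEMP)
WRITABLE = {TEMP}


def demo(dll_name="helper.dll"):
    """Resolve before and after an attacker plants a same-named DLL."""
    before = resolve_dll(dll_name, ORDER, FS)
    points = hijack_points(dll_name, ORDER, FS, WRITABLE)
    planted = {d: set(names) for d, names in FS.items()}
    planted[TEMP].add(dll_name)                # unprivileged user drops the file
    after = resolve_dll(dll_name, ORDER, planted)
    return before, points, after


if __name__ == "__main__":
    for label, value in zip(("before", "hijack points", "after"), demo()):
        print(f"{label}: {value}")
```

The defence that follows from the model is the one a hardened installer applies: load its own libraries from a directory only administrators can write to, or by full path, so that nothing writable by the user precedes the legitimate copy.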

Although Kanthak demonstrated the attack using the Windows version of Skype, he believes the same DLL hijacking method could also work against other operating systems, including Skype versions for macOS and Linux.

Kanthak informed Microsoft of the Skype vulnerability back in September, but the company told him that a patch would require the Skype update installer to go through “a large code revision,” Kanthak told ZDNet.

So rather than releasing a security update, Microsoft decided to build an altogether new version of the Skype client that would address the vulnerability.

It should be noted that this vulnerability affects only the Skype for desktop app, whose update installer is the component vulnerable to DLL hijacking. The Universal Windows Platform (UWP) app available from the Microsoft Store for Windows 10 PCs is not affected.

The vulnerability has been rated as “medium” in severity, but Kanthak said, “the attack could be easily weaponized.” He gave two examples, which have not been released yet.

Until Microsoft issues the all-new Skype client, users are advised to exercise caution and avoid opening attachments from untrusted email, since the attack first requires getting a file onto the machine. Also make sure you run up-to-date anti-virus software, which offers some defence against such attacks.

This is not the first time Skype has been dealing with a severe security flaw. In June 2017, a critical flaw in Skype was revealed before Microsoft released a fix for the issue that allowed hackers to crash systems and execute malicious code in them.

Last month, among several messaging applications, Skype was also dealing with a critical remote code execution vulnerability in Electron—a popular web application framework widely-used in desktop applications.

A zero-day vulnerability has been discovered in the desktop client of the Telegram messaging app that was being exploited in the wild to spread malware that mines cryptocurrencies such as Monero and Zcash.

The Telegram vulnerability was uncovered by security researcher Alexey Firsh from Kaspersky Lab last October and affects only the Windows client of Telegram messaging software.

The flaw has been actively exploited in the wild since at least March 2017 by attackers who tricked victims into downloading malicious software that used their PCs' CPU power to mine cryptocurrencies or served as a backdoor giving the attackers remote control of the affected machine, according to a blog post on Securelist.

Here’s How Telegram Vulnerability Works

The vulnerability resides in the way the Telegram Windows client handles the RLO (right-to-left override) Unicode character (U+202E), which is used to render text in languages written from right to left, such as Arabic or Hebrew.

According to Kaspersky Lab, the malware creators embedded a hidden RLO character in a file name so that the characters following it were displayed in reverse order, disguising the file's real extension, and sent the file to Telegram users.

For example, when an attacker sends a file named “photo_high_re*U+202E*gnp.js” in a message to a Telegram user, the name rendered on the user's screen has its last part flipped and reads “photo_high_resj.png”.

The Telegram user therefore sees an incoming PNG image (as shown in the image below) instead of a JavaScript file, and is misled into downloading the malicious file disguised as an image.
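A check for this trick, as an added example (not Kaspersky's or Telegram's code): it approximates how a naive renderer displays a name containing U+202E, compares the displayed extension with the real one, and, going a little beyond the article's case, flags any invisible Unicode control or format character in a file name, not just RLO. The sample file names are constructed.

```python
"""Detect file names that use Unicode bidirectional controls to disguise
their extension. Added example; sample names are constructed."""
import unicodedata

RLO = "\u202e"                      # RIGHT-TO-LEFT OVERRIDE
INVISIBLE = ("Cf", "Cc")            # Unicode format and control categories


def hidden_controls(name):
    """Invisible format/control characters in the name; any of them in a
    file name is suspicious (U+202E is category Cf)."""
    return [c for c in name if unicodedata.category(c) in INVISIBLE]


def rendered_name(name):
    """Approximate what a naive display shows: the RLO itself is invisible
    and everything after the first one is drawn reversed."""
    head, sep, tail = name.partition(RLO)
    return head + tail[::-1] if sep else name


def _extension(text):
    return text.rsplit(".", 1)[1].lower() if "." in text else ""


def true_extension(name):
    """Extension the OS acts on: the real name with control characters stripped."""
    return _extension("".join(c for c in name if unicodedata.category(c) not in INVISIBLE))


def displayed_extension(name):
    """Extension the user believes they see."""
    return _extension(rendered_name(name))


def classify(name):
    """Summary a messaging client or mail gateway could act on."""
    controls = hidden_controls(name)
    real, shown = true_extension(name), displayed_extension(name)
    return {
        "displayed_as": rendered_name(name),
        "real_extension": real,
        "displayed_extension": shown,
        "hidden_controls": [f"U+{ord(c):04X}" for c in controls],
        "suspicious": bool(controls) or real != shown,
    }


if __name__ == "__main__":
    for sample in ("photo_high_re\u202egnp.js", "holiday.png"):  # constructed names
        print(classify(sample))
```

A client that refuses, or at least warns on, any file name containing characters from categories Cf or Cc closes the whole class of bidi-override disguises rather than just the one character used here.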

“As a result, users downloaded hidden malware which was then installed on their computers,” Kaspersky says in its press release published today.

Kaspersky Lab reported the vulnerability to Telegram and the company has since patched the vulnerability in its products, as the Russian security firm said: “at the time of publication, the zero-day flaw has not since been observed in messenger’s products.”

Hackers Used Telegram to Infect PCs with Cryptocurrency Miners

During the analysis, Kaspersky researchers found several scenarios of zero-day exploitation in the wild by threat actors. Primarily, the flaw was actively exploited to deliver cryptocurrency mining malware, which uses the victim’s PC computing power to mine different types of cryptocurrency including Monero, Zcash, Fantomcoin, and others.

While analyzing the attackers' servers, the researchers also found archives containing Telegram's local cache that had been stolen from victims.

In another case, cybercriminals successfully exploited the vulnerability to install a backdoor trojan that used the Telegram API as a command and control protocol, allowing hackers to gain remote access to the victim’s computer.

“After installation, it started to operate in a silent mode, which allowed the threat actor to remain unnoticed in the network and execute different commands including the further installation of spyware tools,” the firm added.

Firsh believes the zero-day vulnerability was exploited only by Russian cybercriminals, as “all the exploitation cases that [the researchers] detected occurring in Russia,” and a lot of artifacts pointed towards Russian cybercriminals.

The best way to protect yourself from such attacks is not to download or open files from unknown or untrusted sources.

The security firm also recommended that users avoid sharing sensitive personal information in messaging apps and keep good antivirus software from a reliable vendor installed on their systems.

Security researchers have discovered a custom-built piece of malware that has been wreaking havoc in Asia for the past several months and is capable of nasty tasks such as password stealing, bitcoin mining, and giving hackers complete remote access to compromised systems.

Dubbed Operation PZChao, the attack campaign discovered by security researchers at Bitdefender has been targeting organizations in the government, technology, education, and telecommunications sectors in Asia and the United States.

Researchers believe the nature, infrastructure, and payloads, including variants of the Gh0stRAT trojan, used in the PZChao attacks are reminiscent of the notorious Chinese hacker group Iron Tiger.

However, this campaign has evolved its payloads to drop a trojan, conduct cyber espionage and mine Bitcoin.

The PZChao campaign is attacking targets across Asia and the U.S. using attack tactics similar to those of Iron Tiger, which, according to the researchers, signals the possible return of the notorious Chinese APT group.

Since at least July last year, the PZChao campaign has been targeting organizations with a malicious VBS file attachment delivered via highly targeted phishing emails.

If executed, the VBS script downloads additional payloads to the affected Windows machine from a distribution server at “down.pzchao.com,” which resolved to an IP address (125.7.152.55) in South Korea at the time of the investigation.

The threat actors behind the attack campaign control at least five malicious subdomains of the “pzchao.com” domain, each used for a specific task: downloads, uploads, RAT-related actions, or malware DLL delivery.

The payloads deployed by the threat actors are “diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system,” researchers noted.

The first payload dropped on compromised machines is a Bitcoin miner, disguised as a ‘java.exe’ file, that mines cryptocurrency every three weeks at 3 AM, when most people are not at their systems.

For password stealing, the malware also deploys one of two versions of the Mimikatz password-scraping utility (depending on the affected machine's OS architecture) to harvest passwords and upload them to the command and control server.

PZChao’s final payload includes a slightly modified version of Gh0st remote access trojan (RAT) which is designed to act as a backdoor implant and behaves very similar to the versions detected in cyber attacks associated with the Iron Tiger APT group.

The Gh0st RAT is equipped with massive cyber-espionage capabilities, including:

Real-time and offline remote keystroke logging

Listing of all active processes and opened windows

Listening in on conversations via microphone

Eavesdropping on webcams’ live video feed

Allowing for remote shutdown and reboot of the system

Downloading binaries from the Internet to the remote host

Modifying and stealing files and more.

Together these capabilities allow a remote attacker to take full control of the compromised system, spy on victims and exfiltrate confidential data with ease.

While the tools used in the PZChao campaign are a few years old, “they are battle-tested and more than suitable for future attacks,” researchers say.

Active since 2010, Iron Tiger, also known as “Emissary Panda” or “Threat Group-3390,” is a Chinese advanced persistent threat (APT) group that was behind previous campaigns resulting in the theft of massive amounts of data from the directors and managers of US-based defense contractors.

Similar to the PZChao campaign, the group also carried out attacks against entities in China, the Philippines, and Tibet, besides attacking targets in the U.S.

For further insights, you can read the detailed technical paper [PDF] published by Bitdefender.

A critical vulnerability discovered in the Chrome and Firefox browser extensions of the grammar-checking software Grammarly inadvertently left all 22 million users' accounts, including their personal documents and records, exposed to remote attackers.

According to Google Project Zero researcher Tavis Ormandy, who discovered the vulnerability on February 2, the Chrome and Firefox extensions of Grammarly exposed authentication tokens to every website, where they could be grabbed by a remote attacker with just four lines of JavaScript.

In other words, any website a Grammarly user visited could steal the user's authentication token, which is enough to log in to the account and access every “documents, history, logs, and all other data” without permission.

“I’m calling this a high severity bug, because it seems like a pretty severe violation of user expectations,” Ormandy said in a vulnerability report. “Users would not expect that visiting a website gives it permission to access documents or data they’ve typed into other websites.”

Ormandy has also provided a proof-of-concept (PoC) exploit, which explains how one can easily trigger this serious bug to steal Grammarly user’s access token with just four lines of code.

This high-severity flaw was discovered on Friday and fixed early Monday morning by the Grammarly team, which, according to the researcher, is “a really impressive response time” for addressing such bugs.

Security updates are now available for both Chrome and Firefox browser extensions, which should get automatically updated without requiring any action by Grammarly users.

A Grammarly spokesperson also said in an email that the company has no evidence of users being compromised by this vulnerability.

“Grammarly resolved a security bug reported by Google’s Project Zero security researcher, Tavis Ormandy, within hours of its discovery. At this time, Grammarly has no evidence that any user information was compromised by this issue,” the spokesperson said.

“We’re continuing to monitor actively for any unusual activity. The security issue potentially affected text saved in the Grammarly Editor. This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the Grammarly browser extension. The bug is fixed, and there is no action required by Grammarly users.”

A simple yet serious application-level denial of service (DoS) vulnerability has been discovered in the WordPress CMS platform that could allow anyone to take down most WordPress websites from a single machine, without the massive amount of bandwidth a network-level DDoS attack would need to achieve the same.

Since WordPress has declined to patch the issue, the vulnerability (CVE-2018-6389) remains unpatched and affects almost all versions of WordPress released in the last nine years, including the latest stable release at the time of writing (version 4.9.2).

Discovered by Israeli security researcher Barak Tawily, the vulnerability resides in the way “load-scripts.php,” a built-in script in WordPress CMS, processes user-defined requests.

For those unaware, load-scripts.php was designed to make admin pages load faster by combining, on the server side, multiple JavaScript files into a single response.

However, because “load-scripts.php” must also work on the admin login page (wp-login.php) before a user has logged in, WordPress' authors put no authentication in front of it, making the feature accessible to anyone.

Depending on the plugins and modules installed, load-scripts.php selectively serves the required JavaScript files whose names are passed, comma-separated, in the “load” parameter of the request URL.

While loading the page, ‘load-scripts.php’ (referenced in the head of the page) looks up each JavaScript file named in the URL, appends their contents into a single file and sends it back to the user's web browser.

How WordPress DoS Attack Works

According to the researcher, one can force load-scripts.php to serve every registered JavaScript file (181 scripts) in one request simply by passing all their names in that parameter, which slows the targeted website noticeably by consuming considerable CPU and memory on the server.

“There is a well-defined list ($wp_scripts), that can be requested by users as part of the load[] parameter. If the requested value exists, the server will perform an I/O read action for a well-defined path associated with the supplied value from the user,” Tawily says.

Although a single request would not be enough to take the whole website down for its visitors, Tawily used a proof-of-concept (PoC) Python script, doser.py, which sends large numbers of concurrent requests to the same URL in an attempt to use up as much of the target server's CPU as possible and bring it down.

The Hacker News has verified the authenticity of the DoS exploit that successfully took down one of our demo WordPress websites running on a medium-sized VPS server.

“It is time to mention again that load-scripts.php does not require any authentication, an anonymous user can do so. After ~500 requests, the server didn’t respond at all any more, or returned 502/503/504 status code errors,” Tawily says.

However, an attack from a single machine with a connection of roughly 40 Mbps was not enough to take down another demo website running on a dedicated server with ample processing power and memory.

But that does not mean the flaw is ineffective against WordPress websites on powerful servers: an application-level attack generally needs far fewer packets and far less bandwidth than a network-level flood to achieve the same goal of taking a site down.

So attackers with more bandwidth or a few bots can exploit this flaw to target big and popular WordPress websites as well.
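Since WordPress itself will not block these requests, the practical countermeasure is to spot them at the web server or in its logs. The following is an added example for this article, not the researcher's doser.py or anything from WordPress: it parses Apache-style access log lines, counts the script handles requested through load-scripts.php's load[] parameter, and flags both oversized requests and sources hammering the endpoint. The log lines, IP addresses, handle names and thresholds are constructed for illustration.

```python
"""Flag abuse of wp-admin/load-scripts.php in web server access logs.
Added example; log lines, addresses, handle names and thresholds are constructed."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Common/combined log format up to the status code (Apache, nginx default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def load_handles(target):
    """Script handles requested via load[] (or load), or None if the request
    is not for load-scripts.php at all."""
    url = urlsplit(target)
    if not url.path.endswith("/load-scripts.php"):
        return None
    query = parse_qs(url.query)            # decodes load%5B%5D to load[]
    handles = []
    for key in ("load[]", "load"):
        for value in query.get(key, []):
            handles.extend(h for h in value.split(",") if h)
    return handles


def scan(lines, max_handles=20, max_per_ip=50):
    """Oversized requests (more handles than a real admin page needs) and
    sources that exceed a per-window request budget for the endpoint."""
    oversized, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        handles = load_handles(m["target"])
        if handles is None:
            continue
        per_ip[m["ip"]] += 1
        if len(handles) > max_handles:
            oversized.append((m["ip"], len(handles)))
    flooders = {ip: n for ip, n in per_ip.items() if n > max_per_ip}
    return {"oversized": oversized, "flooders": flooders}


# Constructed sample: one normal admin page load, one unrelated request, and
# a burst of requests each naming all 181 registered scripts (placeholder names).
def log_line(ip, ts, target, status=200, size=1234):
    return f'{ip} - - [{ts}] "GET {target} HTTP/1.1" {status} {size}'


ALL_HANDLES = ",".join(f"script-{i}" for i in range(181))
SAMPLE_LINES = [
    log_line("198.51.100.7", "05/Feb/2018:10:01:02 +0000",
             "/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,utils&ver=4.9.2"),
    log_line("198.51.100.7", "05/Feb/2018:10:01:03 +0000", "/wp-login.php"),
    *[log_line("203.0.113.5", f"05/Feb/2018:10:02:{s:02d} +0000",
               f"/wp-admin/load-scripts.php?c=1&load%5B%5D={ALL_HANDLES}&ver=4.9.2", 503, 0)
      for s in range(5)],
]


if __name__ == "__main__":
    print(scan(SAMPLE_LINES, max_handles=20, max_per_ip=3))
```

The same two signals translate directly into a web server or WAF rule: reject load-scripts.php requests whose load[] list is longer than a genuine admin page ever sends, and rate-limit the endpoint per source address, which is exactly the server-side mitigation WordPress pointed to.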

No Patch Available – Mitigation Guide


Along with the full disclosure, Tawily has also provided a video demonstration for the WordPress Denial of Service attack. You can watch the video to see the attack in action.

Knowing that DoS vulnerabilities are out of scope for the WordPress bug bounty program, Tawily nonetheless responsibly reported this DoS vulnerability to the WordPress team through the HackerOne platform.

However, the company declined to acknowledge the issue, saying that this kind of bug “should really get mitigated at the server end or network level rather than the application level,” which is outside WordPress' control.

The vulnerability is serious because WordPress powers nearly 29 percent of the Web, leaving millions of websites exposed to attackers who could make them unavailable to their legitimate users.

For websites that can’t afford services offering DDoS protection against application-layer attacks, the researcher has provided a forked version of WordPress, which includes mitigation against this vulnerability.

However, I personally wouldn’t recommend users to install modified CMS, even if it is from a trusted source other than the original author.

Besides this, the researcher has also released a simple bash script that patches the issue in an existing WordPress installation.

A Google security researcher has discovered a severe vulnerability in Blizzard games that could allow remote attackers to run malicious code on gamers’ computers.

Played every month by half a billion users—World of Warcraft, Overwatch, Diablo III, Hearthstone and Starcraft II are popular online games created by Blizzard Entertainment.

To play Blizzard games, users install a client application called ‘Blizzard Update Agent’ on their systems. It runs a JSON-RPC server over HTTP on port 1120 and “accepts commands to install, uninstall, change settings, update and other maintenance related options.”

Google’s Project Zero team researcher Tavis Ormandy discovered that the Blizzard Update Agent is vulnerable to a hacking technique called the “DNS Rebinding” attack that allows any website to act as a bridge between the external server and your localhost.

Just last week, Ormandy revealed a similar vulnerability in a popular Transmission BitTorrent app that could allow hackers to remotely execute malicious code on BitTorrent users’ computers and take control of them.

By simply creating a DNS entry to bind any attacker-controlled web page with localhost (127.0.0.1) and tricking users into visiting it, hackers can easily send privileged commands to the Blizzard Update Agent using JavaScript code.

A website normally cannot read responses from a hostname other than its own, but DNS rebinding sidesteps that by making the attacker's own hostname resolve to 127.0.0.1 after the page has loaded. Because the local Blizzard updater service never checks which hostname a request was addressed to, it answers those requests as if they were legitimate.

Blizzard DNS Rebinding Attack — Proof of Concept Exploit

Ormandy has also published a proof-of-concept exploit that executes DNS rebinding attack against Blizzard clients and could be modified to allow exploitation using network drives, or setting destination to “downloads” and making the browser install malicious DLLs, data files, etc.

Ormandy responsibly reported the issue to Blizzard in December so that it could be patched before attackers took advantage of it against hundreds of millions of gamers.

However, after initial communication, Blizzard stopped responding to Ormandy's emails and silently applied a partial mitigation in client version 5996.

“Blizzard was replying to emails but stopped communicating on December 22nd. Blizzard is no longer replying to any enquiries, and it looks like in version 5996 the Agent now has been silently patched with a bizarre solution,” Ormandy says.

“Their solution appears to be to query the client command line, get the 32-bit FNV-1a string hash of the exename and then check if it’s in a blacklist. I proposed they whitelist Hostnames, but apparently, that solution was too elegant and simple. I’m not pleased that Blizzard pushed this patch without notifying me, or consulted me on this.”

After the Ormandy’s report went public, Blizzard contacted and informed him that a more robust Host header whitelist fix to address the issue entirely is currently being developed for deployment.

Ormandy is also checking other big game vendors with user bases of over 100 million to see if the problem can be replicated.

A critical vulnerability has been discovered in the widely used Transmission BitTorrent app that could allow hackers to remotely execute malicious code on BitTorrent users’ computers and take control of them.

The vulnerability was uncovered by Google's Project Zero vulnerability research team, and one of its researchers, Tavis Ormandy, has also posted a proof-of-concept attack, just 40 days after the initial report.

Usually, the Project Zero team discloses vulnerabilities 90 days after reporting them to the affected vendor, or sooner once the vendor has released a patch.

In this case, however, Project Zero disclosed the vulnerability 50 days before that deadline because the Transmission developers had failed to apply a ready-made patch the researchers provided over a month earlier.

“I’m finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. I suspect they won’t reply, but let’s see,” Ormandy said in a public report published Tuesday.

Proof-of-Concept Exploit Made Publicly Available

The PoC attack published by Ormandy exploits a specific Transmission function that lets users control the BitTorrent app with their web browser.

Ormandy confirmed his exploit works on Chrome and Firefox on Windows and Linux (Fedora and Ubuntu) and believes that other browsers and platforms are also vulnerable to the attack.

Transmission uses a client-server architecture: users run a daemon on their system and control it locally through a web-based interface in their browser.

That web interface drives the daemon's downloads and uploads by sending it JSON-RPC requests.

Ormandy found that a hacking technique called “DNS rebinding” can exploit this design, allowing any malicious website the user visits to execute code on the user's computer through the installed daemon.

Here’s How the Attack Works:

The loophole is that services listening on localhost can be driven by third-party websites the user visits.

“I regularly encounter users who do not accept that websites can access services on localhost or their intranet,” Ormandy wrote in a separate post, which includes the patch.

“These users understand that services bound to localhost are only accessible to software running on the local machine and that their browser is running on the local machine—but somehow believe that accessing a website “transfers” execution somewhere else. It does not work like that, but this is a common source of confusion.”

Attackers exploit this by creating a DNS name they control and making it resolve, at the right moment, to the victim's localhost address. Here's how the attack works:

A user visits malicious site (http://attacker.com), which has an iframe to a subdomain controlled by the attacker.

The attacker configures their DNS server to respond alternately with 127.0.0.1 and 123.123.123.123 (an address controlled by the attacker), with a very low TTL.

When the browser resolves the name to 123.123.123.123, that server serves HTML that waits for the DNS entry to expire (or forces it out by flooding the cache with lookups); once the name resolves to 127.0.0.1, the page's scripts can talk to the daemon and read and set headers.
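The three steps above, and the hostname whitelist Ormandy proposed for the Blizzard agent, as one added example covering both the Blizzard and the Transmission cases (it is not code from either project or from the researcher): an attacker-controlled resolver that alternates answers with a short TTL, a minimal model of the browser's DNS cache, and a stand-in for a localhost JSON-RPC service that either ignores or validates the Host header. The hostname rebind.attacker.example, the address 123.123.123.123, the TTL and the port are constructed for illustration.

```python
"""DNS rebinding against a localhost JSON-RPC service, and the Host header
whitelist that defeats it. Added example; names, addresses and TTL are constructed."""
import itertools


class RebindingResolver:
    """Attacker-controlled authoritative DNS: answers alternate between the
    attacker's public IP and 127.0.0.1, each with a very short TTL."""

    def __init__(self, attacker_ip="123.123.123.123", ttl=1):
        self._answers = itertools.cycle([attacker_ip, "127.0.0.1"])
        self.ttl = ttl

    def lookup(self, name):
        return next(self._answers), self.ttl


class BrowserDnsCache:
    """Minimal model of a browser DNS cache that honours the record TTL."""

    def __init__(self, resolver):
        self.resolver = resolver
        self._cache = {}                       # name -> (ip, expires_at)

    def resolve(self, name, now):
        ip, expires = self._cache.get(name, (None, -1))
        if ip is None or now >= expires:       # expired: ask the attacker's DNS again
            ip, ttl = self.resolver.lookup(name)
            self._cache[name] = (ip, now + ttl)
        return ip


ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def split_host_header(host):
    """Split a Host header into (name, port-or-None), handling bracketed IPv6."""
    if host.startswith("["):
        end = host.find("]")
        if end == -1:
            return host, None
        name, rest = host[: end + 1], host[end + 1:]
        return name, (rest[1:] if rest.startswith(":") else None)
    name, sep, port = host.partition(":")
    return name, (port if sep else None)


def host_header_allowed(host, expected_port=1120, allowed=ALLOWED_HOSTS):
    """Whitelist check: answer only requests addressed to one of the
    service's own names on its own port. A rebound request still carries
    the attacker's hostname in Host, so it fails here."""
    name, port = split_host_header(host.strip())
    return name.lower() in allowed and (port is None or port == str(expected_port))


class LocalRpcService:
    """Stand-in for an agent listening on 127.0.0.1:port over HTTP JSON-RPC."""

    def __init__(self, port=1120, check_host=False):
        self.port, self.check_host = port, check_host

    def handle(self, dst_ip, host_header):
        if dst_ip != "127.0.0.1":
            return "not reached"               # request went to the attacker's server
        if self.check_host and not host_header_allowed(host_header, self.port):
            return "rejected"                  # Host names a foreign origin
        return "command executed"


def simulate_rebinding(check_host):
    """First load hits the attacker's server; after the TTL expires the same
    origin maps to 127.0.0.1 and the page's script reaches the local service."""
    hostname, port = "rebind.attacker.example", 1120
    browser = BrowserDnsCache(RebindingResolver(ttl=1))
    service = LocalRpcService(port, check_host=check_host)
    host_header = f"{hostname}:{port}"         # what the browser sends either way

    first_ip = browser.resolve(hostname, now=0)     # attacker's page is served
    second_ip = browser.resolve(hostname, now=5)    # TTL expired: rebound to localhost
    outcome = service.handle(second_ip, host_header)
    return first_ip, second_ip, outcome


if __name__ == "__main__":
    print("no Host check:", simulate_rebinding(check_host=False))
    print("Host whitelist:", simulate_rebinding(check_host=True))
```

The whitelist works because rebinding changes only the address the name points to, never the name the browser puts in the Host header; a service that compares that header against its own expected names needs no knowledge of the attacker's domain, which is why it is more robust than the executable-name blacklist Blizzard shipped first.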

Ormandy said the vulnerability (CVE-2018-5702) was the “first of a few remote code execution flaws in various popular torrent clients,” though he did not name the other torrent apps due to the 90-day disclosure timeline.

A fix is expected to be released as soon as possible, a development official with Transmission told ArsTechnica, without specifying an actual date.

Security researchers have discovered several severe vulnerabilities and a secret hard-coded backdoor in Western Digital’s My Cloud NAS devices that could allow remote attackers to gain unrestricted root access to the device.

Western Digital's My Cloud (WDMyCloud) is one of the most popular network-attached storage devices, used by individuals and businesses to host their files and automatically back them up and sync them with various cloud and web-based services.

The device lets users not only share files in a home network, but the private cloud feature also allows them to access their data from anywhere at any time.

Since these devices have been designed to be connected over the Internet, the hardcoded backdoor would leave user data open to hackers.

GulfTech research and development team has recently published an advisory detailing a hardcoded backdoor and several vulnerabilities it found in WD My Cloud storage devices that could allow remote attackers to inject their own commands and upload and download sensitive files without permission.

Notably, James Bercegay of GulfTech contacted the vendor and reported the issues in June last year. The vendor confirmed the vulnerabilities and requested a period of 90 days until full disclosure.

On 3rd January (nearly 180 days later), GulfTech publicly disclosed the details of the vulnerabilities, which are still unpatched.

Unrestricted File Upload Flaw Leads to Remote Exploitation

As the name suggests, this vulnerability allows a remote attacker to upload an arbitrary file to the server running on the internet-connected vulnerable storage devices.

The vulnerability resides in the “multi_uploadify.php” script, due to the developers' incorrect use of the PHP gethostbyaddr() function.

This vulnerability can also be easily exploited to gain a remote shell as root. All an attacker has to do is send a POST request carrying the file to upload in the Filedata[0] parameter, the destination directory in the “folder” parameter, and a spoofed “Host” header.

“The [metasploit] module will use this vulnerability to upload a PHP webshell to the “/var/www/” directory. Once uploaded, the webshell can be executed by requesting a URI pointing to the backdoor, and thus triggering the payload,” the researcher writes.

Hard Coded Backdoor Leads to Remote Exploitation

Researchers also found the existence of a “classic backdoor”—with admin username “mydlinkBRionyg” and password “abc12345cba,” which is hardcoded into the binary and cannot be changed.

So, anyone can just log into WD My Cloud devices with these credentials.

Also, using this backdoor access, anyone can access the buggy code which is vulnerable to command injection and spawn a root shell.

“The triviality of exploiting this issues makes it very dangerous, and even wormable,” the researcher notes. “Not only that, but users locked to a LAN are not safe either.”

“An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag make a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as ‘wdmycloud’ and ‘wdmycloudmirror’ etc.”

Other Vulnerabilities in Western Digital’s My Cloud

Besides the two critical vulnerabilities above, the researchers also reported several other significant flaws, described below:

Cross-site request forgery:

Due to no real XSRF protection within the WD My Cloud web interface, any malicious site can potentially make a victim’s web browser connect to a My Cloud device on the network and compromise it.

Simply visiting a booby-trapped website would be enough to lose control of your My Cloud device.

Command injection:

In March last year, a member of the Exploitee.rs team discovered several command injection issues within the WD My Cloud devices, which can be combined with the XSRF flaw to gain complete control (root access) of the affected device.

Unfortunately, the GulfTech team also uncovered a few command injection flaws.

Denial of Service:

Researchers also found that since any unauthenticated user can set the global language preferences for the entire storage device and all of its users, it is possible for an attacker to abuse this functionality to cause a DoS condition to the web interface.

Information disclosure:

According to the researchers, an attacker can dump a list of all users, including detailed user information, without any authentication by sending a single request to the web server such as: GET /api/2.1/rest/users? HTTP/1.1

Affected My Cloud Firmware Versions and Models

Western Digital’s My Cloud and My Cloud Mirror firmware version 2.30.165 and earlier are affected by all above-reported vulnerabilities.

A critical vulnerability has been discovered in the browser app that comes pre-installed on hundreds of millions of Samsung Android devices, which could allow an attacker to steal data from other browser tabs if the user visits an attacker-controlled site.

Identified as CVE-2017-17692, the vulnerability is a Same Origin Policy (SOP) bypass in Samsung Internet Browser version 5.4.02.3 and earlier.

The Same Origin Policy or SOP is a security feature applied in modern browsers that is designed to make it possible for web pages from the same website to interact while preventing unrelated sites from interfering with each other.

In other words, the SOP ensures that JavaScript from one origin cannot read or modify the properties of a page from another origin.


The SOP bypass vulnerability in the Samsung Internet Browser, discovered by Dhiraj Mishra, could allow a malicious website to steal data, such as passwords or cookies, from the sites opened by the victim in different tabs.

“When the Samsung Internet browser opens a new tab in a given domain (say, google.com) through a Javascript action, that Javascript can come in after the fact and rewrite the contents of that page with whatever it wants,” researchers from security firm Rapid7 explained.

“This is a no-no in browser design since it means that Javascript can violate the Same-Origin Policy, and can direct Javascript actions from one site (controlled by the attacker) to act in the context of another site (the one the attacker is interested in). Essentially, the attacker can insert custom Javascript into any domain, provided the victim user visits the attacker-controlled web page first.”

Attackers can even snag a copy of your session cookie or hijack your session and read and write webmail on your behalf.

Mishra reported the vulnerability to Samsung, and the company replied that “the patch is already preloaded in our upcoming model Galaxy Note 8, and the application will be updated via Apps store update in October.“

Meanwhile, Mishra, with the help of Tod Beardsley and Jeffrey Martin from Rapid7 team, also released an exploit for Metasploit Framework.

Rapid7 researchers have also published a video demonstrating the attack.

Since the Metasploit exploit code for the SOP bypass in Samsung Internet Browser is now publicly available, even attackers with little technical knowledge can exploit the flaw on the large number of Samsung devices that still run the vulnerable browser version.

Security researchers have discovered multiple attack campaigns conducted by an established Chinese criminal group that operates worldwide, targeting database servers for mining cryptocurrencies, exfiltrating sensitive data and building a DDoS botnet.

The researchers from security firm GuardiCore Labs have analyzed thousands of attacks launched in recent months and identified at least three attack variants—Hex, Hanako, and Taylor—targeting different MS SQL and MySQL servers for both Windows and Linux.

The goals of all the three variants are different—Hex installs cryptocurrency miners and remote access trojans (RATs) on infected machines, Taylor installs a keylogger and a backdoor, and Hanako uses infected devices to build a DDoS botnet.

So far, researchers have recorded hundreds of Hex and Hanako attacks and tens of thousands of Taylor attacks each month and found that most compromised machines are based in China, and some in Thailand, the United States, Japan and others.

To gain unauthorized access to the targeted database servers, the attackers use brute force attacks and then run a series of predefined SQL commands to gain persistent access and evade audit logs.

What’s interesting? To launch the attacks against database servers and serve malicious files, attackers use a network of already compromised systems, making their attack infrastructure modular and preventing takedown of their malicious activities.

To achieve persistent access to the victim's database, all three variants (Hex, Hanako, and Taylor) create backdoor users in the database and open the Remote Desktop port, allowing the attackers to remotely download and install their next stage: a cryptocurrency miner, a Remote Access Trojan (RAT) or a DDoS bot.

“Later in the attack, the attacker stops or disables a variety of anti-virus and monitoring applications by running shell commands,” the researchers wrote in their blog post published Tuesday.

“The anti-virus targeted is a mixture of well-known products such as Avira and Panda Security and niche software such as Quick Heal and BullGuard.”

Administrators should check for the following usernames in their databases or systems to identify whether they have been compromised by the Chinese criminal hackers:

hanako

kisadminnew1

401hk$

Guest

Huazhongdiguo110

To prevent compromise of your systems, the researchers advise administrators to follow the database hardening guides provided by both MySQL and Microsoft, rather than relying on a strong password alone.

“While defending against this type of attacks may sound easy or trivial—’patch your servers and use strong passwords’—we know that ‘in real life’ things are much more complicated. The best way to minimize your exposure to campaigns targeting databases is to control the machines that have access to the database,” the researchers advised.

“Routinely review the list of machines that have access to your databases, keep this list to a minimum and pay special attention to machines that are accessible directly from the internet. Every connection attempt from an IP or domain that does not belong to this list should be blocked and investigated.”
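A log triage that applies that advice, as an added example for this article (it is not GuardiCore's code): it reads MySQL-style error and general log lines, counts failed logins per source, flags sources outside the allowlist of machines meant to reach the database, and reports attempts with, or creation of, the backdoor account names listed above. The log lines, addresses, allowlist and threshold are constructed; MS SQL logs use a different format and would need their own patterns.

```python
"""Triage database authentication logs for brute force from unexpected
sources followed by backdoor account creation. Added example; log lines,
addresses, allowlist and threshold are constructed (MySQL-style formats)."""
import re
from collections import Counter

# Account names the researchers tied to the Hex/Hanako/Taylor campaigns.
BACKDOOR_USERS = {"hanako", "kisadminnew1", "401hk$", "Guest", "Huazhongdiguo110"}

# Assumption for the example: the only hosts that should ever reach this DB.
ALLOWED_SOURCES = {"localhost", "10.0.0.5"}

DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<src>[^']+)'")
CREATE_USER_RE = re.compile(r"\bCREATE USER\s+'(?P<user>[^']*)'@'(?P<host>[^']*)'", re.I)


def analyze(lines, allowed_sources, threshold=10):
    """Brute-force sources, sources not on the allowlist, new accounts, and
    hits on the known backdoor user names."""
    failures, unknown, new_accounts, ioc = Counter(), set(), [], []
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            user, src = m["user"], m["src"]
            failures[src] += 1
            if src not in allowed_sources:
                unknown.add(src)
            if user in BACKDOOR_USERS:
                ioc.append(("login attempt", user, src))
            continue
        m = CREATE_USER_RE.search(line)
        if m:
            user, host = m["user"], m["host"]
            new_accounts.append((user, host))      # every new account deserves a look
            if user in BACKDOOR_USERS:
                ioc.append(("account created", user, host))
    return {
        "brute_force": {src: n for src, n in failures.items() if n >= threshold},
        "unknown_sources": unknown,
        "new_accounts": new_accounts,
        "ioc": ioc,
    }


# Constructed sample: a password-guessing burst from one internet address,
# one typo from the application server, a probe for a campaign account, and
# two CREATE USER statements from the general log.
def _denied(sec, user, src):
    return (f"2017-12-19T03:14:{sec:02d}.000000Z 42 [Note] Access denied for user "
            f"'{user}'@'{src}' (using password: YES)")


SAMPLE_LOG = [
    *[_denied(i, u, "203.0.113.9") for i, u in enumerate(["root", "sa", "admin"] * 4)],
    _denied(30, "app", "10.0.0.5"),
    _denied(31, "hanako", "198.51.100.3"),
    "2017-12-19T03:20:01.000000Z    57 Query     CREATE USER 'hanako'@'%' IDENTIFIED BY 'REDACTED'",
    "2017-12-19T09:00:00.000000Z    61 Query     CREATE USER 'reporting'@'10.0.0.5' IDENTIFIED BY 'REDACTED'",
]


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, ALLOWED_SOURCES).items():
        print(f"{key}: {value}")
```

The allowlist is the important part: a burst of failures from an address that should never be talking to the database is worth investigating even when no known indicator appears, which is the point the researchers make about controlling which machines can reach the server.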